Helmet
Helmet helps you secure your Express apps by setting various HTTP headers. It's not a silver bullet, but it can help!
Looking for a version of Helmet that supports the Koa framework?
Quick start
First, run npm install helmet --save
for your app. Then, in an Express (or Connect) app:
const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet());
It's best to use
Helmet early in your middleware stack so that its headers are sure to be set.
You can also use its pieces individually:
app.use(helmet.xssFilter());
app.use(helmet.frameguard());
You can disable a middleware that's normally enabled by default. This will disable frameguard
but include the other defaults.
app.use(
helmet({
frameguard: false,
})
);
You can also set options for a middleware. Setting options like this will always include the middleware, whether or not it's a default.
app.use(
helmet({
frameguard: {
action: "deny",
},
})
);
If you're using Express 3, make sure these middlewares are listed before app.router
.
How it works
Helmet is a collection of 11 smaller middleware functions that set HTTP response headers. Running app.use(helmet())
will not include all of these middleware functions by default.
You can see more in the documentation.